OpenLDAP and MemberOf in Zarafa

From Zarafa wiki

With ADS you automatically have the MemberOf operational attribute. With OpenLDAP this is different: a default OpenLDAP installation does not have the MemberOf operational attribute. As a result, WebAccess and Outlook do NOT show any members in the MemberOf tab of the addressbook:

The picture below shows an empty MemberOf list in the addressbook while this user is a member of "Group2":


Configuring OpenLDAP

In OpenLDAP you can get the MemberOf operational attribute by loading the module "memberof.la". Add the following to the slapd.conf:

moduleload memberof.la

The next thing to do is to create the "memberof" overlay. Add the following to the slapd.conf (after loading the module):

overlay memberof

Restart OpenLDAP after these changes.

In theory we now have the MemberOf operational attribute, but we still need to define our groups differently, because this overlay does not work on "posixGroup" entries. For the overlay to work correctly we need to create "groupOfNames" entries within OpenLDAP.

NOTE: The "groupOfNames" objectclass does not allow the "posixGroup" attributes. Therefore you cannot add the attribute "gidNumber" to the LDAP record.

Configuring Zarafa

LDAP Configfile

Since "gidNumber" cannot be used inside a "groupOfNames", we need to change the "ldap_group_unique_attribute" in the LDAP config of Zarafa. In this example we use "cn" as the unique group identifier. Whatever you choose here, remember that this is a UNIQUE identifier, which means that it needs to be UNIQUE across all groups.

ldap_group_unique_attribute = cn

NOTE: Changing the "ldap_group_unique_attribute" means that ALL groups will be deleted and recreated by Zarafa.
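The two constraints above (no "gidNumber" on a "groupOfNames", and a unique "cn" per group) are easy to get wrong when groups are migrated from posixGroup entries. As an added example that is not part of this wiki page or of Zarafa, the following Python script lints an LDIF file for exactly those rules before it is imported into OpenLDAP; the sample LDIF is constructed here and the DNs in it are placeholders.

```python
import re
from collections import Counter

# Constructed sample LDIF (not from the page): one valid group and two that break the rules.
SAMPLE_LDIF = """\
dn: cn=Group2,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Group2
member: uid=alice,ou=users,dc=example,dc=com

dn: cn=Group3,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Group3
gidNumber: 5003
member: uid=carol,ou=users,dc=example,dc=com

dn: cn=Group2,ou=other,dc=example,dc=com
objectClass: groupOfNames
cn: Group2
member: carol
"""

def parse_ldif(text):
    # Minimal LDIF reader: one dict per entry, attribute names lowercased, values kept as lists.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def lint_groups(text, unique_attr="cn"):
    # Report everything that would stop memberOf from being maintained or Zarafa from syncing the group.
    problems = []
    groups = [e for e in parse_ldif(text) if "groupofnames" in (c.lower() for c in e.get("objectclass", []))]
    for g in groups:
        dn = g["dn"][0]
        if "gidnumber" in g:
            problems.append(f"{dn}: gidNumber is not allowed on a groupOfNames entry")
        # memberOf is only maintained for DN-valued member attributes; a bare uid is the posixGroup style
        for m in g.get("member", []):
            if "=" not in m:
                problems.append(f"{dn}: member '{m}' is not a DN")
    counts = Counter(v for g in groups for v in g.get(unique_attr.lower(), []))
    for value, n in counts.items():
        if n > 1:
            problems.append(f"{unique_attr}={value} is used by {n} groups but ldap_group_unique_attribute must be unique")
    return problems
```

Running lint_groups(SAMPLE_LDIF) reports the gidNumber on Group3, the non-DN member of the second Group2, and the duplicate cn; a clean file returns an empty list.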

Also check the membership relations in the LDAP config of Zarafa. In our example we changed the following: